Imagine that a burglar broke into 61% of the homes in your neighborhood. Would you a) keep doing what you’re doing – locking the doors and closing the windows – and hope that you remain safe? Or b) up your game by installing a sophisticated alarm system, buying a guard dog and deploying other methods to protect your family?
If you chose option A, that’s exactly what is happening today in third-party cyber risk. 61% of companies surveyed in the US have experienced a data breach caused by one of their vendors or third parties. Yet many enterprise organizations continue to deploy archaic defense strategies built on tactics proven to be ineffective: surface scans that make cyber posture assertions based only on publicly available data, spreadsheet-based security questionnaires with no validation of the answers, and “once every three years” discussions that cannot accurately reflect a third party’s dynamic security posture.
To make matters worse, this ineffective strategy places an unnecessary burden on third parties, who are forced to answer hundreds of spreadsheet-based security questionnaires. It’s equivalent to an auditor showing up on your doorstep to review your finances before issuing a credit card. The only difference is that you’re applying for 500+ cards a year, and the auditor performs the same review every time.
Attackers are opportunistic, love money and, like most people, seek the path of least resistance. As enterprises have invested millions in people, processes and technology to defend their networks, attackers have discovered that it’s expensive and time consuming to breach a large company with strong defenses in place. They’ve found an easier, more cost-effective and more lucrative way to earn a living – third parties.
For the last six years, I’ve been fortunate to focus on helping enterprises and third parties work to improve their third-party cyber risk management programs. The thought of gaining visibility into hundreds or thousands of third parties’ security posture over the life of a relationship is daunting. To make the challenge even more difficult, third parties are fed up with the hundreds of requests they receive to “complete my custom security questionnaire.” I rarely speak with a business leader who feels confident their defenses adequately meet the risk of their data being in the hands of thousands of third parties.
In the next few paragraphs, I’ll define my view – informed by these discussions – on why third-party cyber risk represents the nexus between the market’s top cyber risk vector and the most archaic way of defending against the threat. For an attacker, this equals the path of least resistance.
In order for my argument to be credible, I must first provide evidence that third-party cyber risk is a real and substantial threat vector. For this, I’ll lean on surveys and statistics:
- According to an Opus and Ponemon study, 59% of companies said they have experienced a data breach caused by one of their vendors or third parties. In the US, that percentage is even higher, at 61%.
- In the same study, 22% of respondents admitted they didn’t know whether they’d had a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.
- According to the 2016 PwC Global State of Information Security Report, “third-party contractors are the biggest source of security incidents outside of a company’s employees.”
- Although there seems to be significant awareness of third-party risk, with 60% of respondents in a recent NTT Security report pointing to third parties as the weakest security link in their organizations, most companies simply aren’t doing enough to assess or mitigate that risk.
It’s easy to assert that if third parties are the biggest source of security incidents and roughly 60% of surveyed companies have been impacted by a third-party data breach, the current defense strategy isn’t working. But let’s dig deeper and explore the most widely deployed “defense” strategy being used by some of the world’s largest companies.
Today’s most common method of addressing third-party cyber risk is akin to a life insurance underwriter “eyeballing” an applicant before issuing a premium on a $20m policy.
A spreadsheet-based security questionnaire is issued to the third party via email or a GRC tool, responses are received and reviewed manually, and remediation advice is issued. In most cases, this is where the process ends, because limited resources are available for follow-up. The exercise is focused primarily on data collection and compliance, with only a small percentage of companies performing ongoing risk management.
The good news is that statistics indicate that market participants are aware of the inefficiencies of this model:
- Deloitte’s Global Outsourcing Survey found that 72% of respondents didn’t have adequate tools and processes in place to manage third parties.
- Third-party involvement is the single biggest factor increasing the average cost of a data breach.
- According to ESG research, 73% of IT professionals believe that cyber risk management is more difficult today than it was two years ago.
Recently (January 23, 2019), a third-party breach was revealed in which a trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the US, was found online after a server security lapse by a New York-based third party called OpticsML.
As businesses face increased regulatory scrutiny around their third-party programs, experience an explosion in the number of third parties in their ecosystem and continually see the news light up with breaches involving third parties, where is the answer? How can CISOs gain more visibility and ultimately lower third-party risk at scale?
Simply put, there is one thing every organization must do to achieve scale, enable a cost-effective approach and truly manage cyber risk. Whether you’re a large multinational corporation or a small school district, you must leverage a community-based, crowdsourced approach that brings enterprises and third parties together to enable visibility, achieve scale and drive cost efficiencies.
An exchange-based approach works as follows:
- Enterprise A shares sensitive data with Vendor 1.
- A comprehensive and validated cyber security assessment is performed on Vendor 1.
- Vendor 1’s assessment is now available in an exchange for Enterprise B to access (with Vendor 1’s authorization), so Vendor 1 is assessed once rather than once per customer.
While there are many nuances involving methods to ensure freshness of the data, analytics and other dashboards to interact with the data, it’s easy to see how an exchange streamlines the process and drives massive time and cost efficiencies for both sides.
Until the market comes together, acknowledges that customized security assessments are the cause of the problem and standardizes the approach, attackers focused on third parties will continue to thrive. At CyberGRX, we’re working hard to help solve this difficult challenge. We hope you’ll join our community as we work together to drive innovation, progress and ultimately, a reduction in both risk and spend in third-party cyber risk management.